Abstract


The objective of this project is the development of an integrated suite of technologies focusing on end-to-end software development supporting requirements analysis, design, implementation, and verification [Bro04a]. This final progress report summarizes the work that has been performed within this project. It contains an overview of the project's achievements with respect to the original problem statement, the technical work of the related work packages, and reports on our cooperation with leading US institutes.
1 Problem Studied

The tight integration of requirements elicitation, validation, verification, and documentation allows iterative, or evolutionary, development processes to produce systems more efficiently than classical top-down development processes. This integration requires suitable means for organizing and interrelating the different documents that are created during development. Especially for large systems, machine support for creating and organizing these documents is desirable and necessary. The advent of powerful techniques for requirements tracing (as exhibited, e.g., by the DOORS tool) as well as recent advances in validation and verification technology make the time seem ripe for an integration of these approaches into one single integrated CASE tool framework. Such a framework would allow for significantly reducing the cost of systems development.

The cost of quality assurance (active and passive) is usually recognized to be one key cost-driving factor. Shorter time-to-market and more complex problems are likely to further increase the importance, and thus the cost, of this factor. This is particularly true for embedded systems which are deployed in large numbers (e.g., automotive controllers or smart cards).

Commonly accepted approaches to reducing the cost of quality assurance include model-based development processes, extensive testing and documentation, controlled requirements tracing, and the application of sophisticated verification and test case generation techniques.
The project aims at fostering cooperation with renowned research institutes in the US, in particular with the Stanford Research Institute and Prof. Zohar Manna's REACT Group at Stanford University, in the field of embedded systems design based on synchronous, time-triggered architectures. The goal is to develop an integrated approach to modeling, tracing, and verifying embedded automotive systems, together with dedicated tool support. It is expected that the prospective results carry over to other application domains as well.

The project's main topics are requirements tracing, verification techniques, and testing for synchronous systems.


Requirements Tracing An entire process for requirements tracing needs an integration of a modeling tool (e.g. AutoFocus) and a requirements management tool (e.g. DOORS from Telelogic, one of the most popular requirements management tools available). Such an integrated toolbox could be used for capturing and structuring requirements. It would provide support for incremental system development. The relations between informal requirements, formal requirements, test cases, verification properties and system design would be documented, and it would be possible to validate whether or not the requirements are fulfilled by the system design. This advanced tool support would lead to fewer errors in system analysis, design and implementation, resulting in lower system development costs.


Verification of Synchronous Systems To support the verification approach to quality assurance in the development process, an integration of the modeling tool (AutoFocus) and the requirements management tool (DOORS) together with verification tools (automatic and interactive) is necessary.

An integrated toolbox must support the export of models into formal theories of the verification tool and the translation of suitable classes of requirements (universal properties) from the requirements management tool into temporal logic and predicate logic specifications.

In addition to the implementation work, preliminary theoretical work must determine formalizations of synchronous models that are amenable to interactive verification. In addition, abstraction techniques must be explored to make verification feasible.
Testing Synchronous Systems Because of gaps in a formally based development process, such as interactions of software with hardware devices or the integration of a system into an existing one, mathematically established propositions on the level of models still have to be complemented by test cases for the actual implementation. In addition, the complexity of industrial systems does not always make them amenable to a complete mathematical analysis (e.g., the state space explosion problem). Specialized techniques for deriving test sequences, together with a methodologically founded strategy for selecting test sequences, are thus a necessary supplement to verification technologies.


2 Summary of Most Important Results

In this section, we highlight the most important results obtained in each of the research areas requirements tracing, verification techniques, and testing for synchronous systems. Furthermore, we report on case studies carried out, summarize the project's documentation, and describe the cooperation with leading US research institutes and universities established and strengthened within the project.

2.1 Requirements Tracing

We have defined a requirements engineering process that delivers and maintains a formal specification, realized tools supporting this process, and worked out modeling formalisms for requirements.


Integrated Development Process We worked out the definition of a requirements engineering process that delivers a formal specification and allows maintenance of the specification. The task of requirements engineering is to find a way from the informal and unstructured requirements to a precise (formal) and structured description of the system to be developed. We developed a set of concepts and a tool to support a process using these concepts. This tool is tightly integrated into the AutoFocus tool. The process consists of the following iterative steps (which need not be performed in this order):

• Getting Requirements. The requirements are elicited. This can be done by interviews, workshops, etc.

• Refinement and Development. The given information is structured in a refinement relation. The task here is to justify the existence of requirements. The sources of these relations are business goals.

• Structuring Requirements. The requirements are structured by classification and by model elements. According to their classification, the requirements can be connected to formal model elements. They can either motivate the existence of an element or describe a property of the element.

• Analysis and Completion/Correction. The models are used to guide the requirements engineers in asking questions regarding the completeness and consistency of the specification and thus in revising the specification.

The method has been developed for the following views: structure, model, and data type.

We have developed the specification framework FIRE ("Formal and Informal Requirements Embedding") that integrates informal and formal requirements, defines their relationships, and sets the foundation for requirements pre- and post-tracing. Within that framework, we have focused on the details of formally capturing requirements; therefore we have developed a formal language which is based on the AutoFocus formalism [HSSS96, SH99] and which extends it with new elements and mechanisms. The interaction view of AutoFocus (sequence charts) was extended and adapted to the project's scope. This allows formalizing many types of functional requirements.

The requirements engineering process FIRE and the requirements tracing tool support AutoRAID [Tea04b] were documented in the following publications:

• Bernhard Schätz, Markus Pister, and Alexander Wisspeintner. Anforderungsanalyse in der modellbasierten Entwicklung am Beispiel von AutoFocus. Softwaretechnik-Trends, 24(1), 2004. In German

• Bernhard Schätz, Andreas Fleischmann, Eva Geisberger, and Markus Pister. Model-based requirements engineering with AutoRAID. In Proceedings of Informatik 2005 Workshop Modellbasierte Qualitätssicherung, 2005

• Bernhard Schätz, Andreas Fleischmann, Eva Geisberger, and Markus Pister. Modellbasierte Anforderungsentwicklung. In Workshop "Object-Oriented Software-Engineering" (OOSE), NetObjectDays 2005, September 2005. In German


Requirements Tracing Tool Integration Prototype In the project proposal we suggested realizing an integration of the requirements management tool DOORS from Telelogic and the CASE tool AutoFocus to allow for requirements tracing between textual requirements and AutoFocus model elements. After investigating the technical possibilities for integrating the tools, we concluded that a tight integration using one joint data repository is not possible.

As a consequence, the proposed requirements engineering functionality was realized directly as part of our AutoFocus CASE tool. The AutoRAID extension [Tea04b] of AutoFocus has been built. For a documentation of AutoRAID, see [Tea04a].


Modeling Formal Requirements We developed a new diagram type, the Service Configuration Diagram, that is integrated into our description technique AutoFocus. This diagram type is used to describe changes of active functionalities during system execution. In [KSTW04] we described a service-based modeling process using Service Configuration Diagrams. In contrast to most component-based approaches, our method focuses on identifying single system functionalities. The modeling process is applicable during both the requirements analysis and the design phase. The modeling process together with the AutoFocus description technique and the new Service Configuration Diagrams is suitable for modeling user requirements in a precise way.

We further worked on semi-automatically extracting formal ontologies from informal requirement specifications. The work is presented in the PhD thesis of Leonid Kof:

• Leonid Kof. Text Analysis for Requirements Engineering. PhD thesis, Technische Universität München, 2005

The AutoFocus semantics is message asynchronous and time synchronous according to the classification given in [SBHW03]. The time synchrony is responsible for the existence of implicit time constraints in AutoFocus models. These time constraints are reasonable within design models, but within the context of requirements analysis models it is often desirable to abstract from time and only consider the core functionalities.

We decided to develop a time asynchronous semantics for the classic AutoFocus diagram types System Structure Diagram (SSD) and State Transition Diagram (STD). This semantics is based on the given time synchronous AutoFocus semantics, abstracts from time constraints and is suitable for modeling requirements. The semantics is formalized using a translation between AutoFocus and the specification language Focus [BS01].

The core ideas of the new semantics were published in:

• Manfred Broy. Time, abstraction, causality, and modularity in interactive systems. In FESCA 2004. Workshop at ETAPS 2004, pages 1-8, 2004

The formal specification language SALT was developed and documented mainly within the master thesis by Jonathan Streit [Str06]:

• Jonathan Streit. Development of a programming language like temporal logic specification language. Master's thesis, Fakultät für Informatik, Technische Universität München, 2006. URL http://salt.in.tum.de

Its gist was presented to the research community in the following publication [BLS06]:

• Andreas Bauer, Martin Leucker, and Jonathan Streit. SALT—structured assertion language for temporal logic. In Proceedings of the Eighth International Conference on Formal Engineering Methods, Lecture Notes in Computer Science, September 2006

The work and its extensions are extensively documented on SALT's homepage at salt.in.tum.de.

The time asynchronous semantics for the classic AutoFocus diagram types System Structure Diagram (SSD) and State Transition Diagram (STD) were formalized and documented in the dissertation (PhD thesis) of Alexander Wißpeintner [Wiß06]:

• Alexander Wißpeintner. Verhaltensinvariante Transformation von Entwurfsmodellen Reaktiver Systeme - Eine Adaption der Refactoring-Technik auf gezeitete Modelle unter Verwendung eines formalen Verhaltensäquivalenzbegriffs. Dissertation, Fakultät für Informatik, Technische Universität München, 2006. In German

2.2 Verification of Synchronous Systems

For verifying synchronous systems we anticipated the integration of two established verification tools in the AutoFocus framework, namely PVS (from SRI International, [Rus97, OS99]) and STeP (from Stanford University, [MtSg95]). After consulting SRI International we decided to realize an AutoFocus-SAL translation instead of an AutoFocus-PVS translation. The reasons for this decision are given in the following paragraphs. This translation was designed during a one-month stay at SRI International in Menlo Park (see Section 2.6) in close collaboration with the respective provider of the verification tool.

SAL [Sha00, BGL+00, dMOS03] provides a very powerful verification environment for synchronous and asynchronous systems by combining model checking with decision procedures (ICS, [FORS01]). Therefore SAL is particularly suitable for performing verification tasks on AutoFocus models, and we expect significantly better results from an AutoFocus-SAL-STeP integration than from an AutoFocus-PVS-STeP integration. However, an AutoFocus-PVS translation might be a future issue and is presumably realized by SRI International as a PVS-SAL integration [For03].

The AutoFocus-SAL integration is straightforward, as SAL supports synchronous composition and the required data type constructs. The design of the translation from AutoFocus to SAL was constructed in collaboration with the Computer Science Laboratory of SRI International. It is documented in [Wis06], and we have prototypically implemented the translation within the AutoFocus-Quest framework.

Concerning the anticipated STeP [MtSg95] translation, the synchronous AutoFocus models have to be transformed into asynchronously communicating STeP models with an appropriate synchronization mechanism. For the actual translation we chose an interleaving model for representing parallel composed AutoFocus components, as an explicit generation of the cross product of the components' transition relations leads to unsuitably large transitions. Due to the use of the interleaving composition, the verification properties have to be strengthened in order to hold for the interleaving system. In collaboration with Zohar Manna's group from Stanford University, we performed experiments toward systematically strengthening properties for inductive proofs on interleaving system models.
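Why an invariant of the synchronous model has to be strengthened before it can be proved inductively on the interleaved model, shown on a constructed toy system (an added example; this is not the project's AutoFocus-to-STeP translation or any of its models). Two components A and B each own a bounded counter and are meant to advance together in every synchronous round. Under synchronous composition the property a = b is an inductive invariant; under interleaving it is violated in the intermediate state after A's step, and a strengthened invariant that also mentions the scheduling phase is needed. The bound N and the phase variable turn are assumptions of this example.

```python
from itertools import product
from typing import Callable, Iterable, Set, Tuple

# Constructed toy model (not the page's AutoFocus/STeP models): two components A and B,
# each owning a counter; both are meant to advance together in every synchronous round.
N = 8                              # counters live in 0..N-1 so that the state space is finite
State = Tuple[int, int, int]       # (a, b, turn); turn is the phase variable added for interleaving
INIT: State = (0, 0, 0)
Succ = Callable[[State], Iterable[State]]
Prop = Callable[[State], bool]


def sync_successors(s: State) -> Iterable[State]:
    """Synchronous composition: A and B step in the same clock tick."""
    a, b, _ = s
    yield ((a + 1) % N, (b + 1) % N, 0)


def interleaved_successors(s: State) -> Iterable[State]:
    """Interleaving composition: A steps first (turn 0 -> 1), then B completes the round (turn 1 -> 0)."""
    a, b, turn = s
    if turn == 0:
        yield ((a + 1) % N, b, 1)
    else:
        yield (a, (b + 1) % N, 0)


def original_property(s: State) -> bool:
    """The property one proves on the synchronous model: both counters agree."""
    a, b, _ = s
    return a == b


def strengthened_property(s: State) -> bool:
    """Strengthening for the interleaved model: between A's and B's step, a is one ahead of b."""
    a, b, turn = s
    return (turn == 0 and a == b) or (turn == 1 and a == (b + 1) % N)


def reachable(succ: Succ, init: State = INIT) -> Set[State]:
    """Explicit-state exploration (the same idea an explicit-state model checker uses)."""
    seen, todo = {init}, [init]
    while todo:
        s = todo.pop()
        for t in succ(s):
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return seen


def holds_on_reachable(prop: Prop, succ: Succ) -> bool:
    return all(prop(s) for s in reachable(succ))


def is_inductive(prop: Prop, succ: Succ, init: State = INIT) -> bool:
    """Inductive-invariant check: prop holds initially and every transition out of a
    prop-state lands in a prop-state (checked over the whole finite state space, not
    only the reachable part, exactly as a deductive proof rule would require)."""
    if not prop(init):
        return False
    every_state = product(range(N), range(N), (0, 1))
    return all(prop(t) for s in every_state if prop(s) for t in succ(s))


def property_at_round_boundaries(succ: Succ) -> bool:
    """The strengthened invariant still yields the original one whenever a round is complete."""
    return all(original_property(s) for s in reachable(succ) if s[2] == 0)


if __name__ == "__main__":
    print("sync, a==b inductive:", is_inductive(original_property, sync_successors))
    print("interleaved, a==b holds:", holds_on_reachable(original_property, interleaved_successors))
    print("interleaved, strengthened inductive:", is_inductive(strengthened_property, interleaved_successors))
```

The check in is_inductive deliberately quantifies over all states, not just the reachable ones: that is what makes a property usable as the induction hypothesis of a deductive proof, and it is exactly where a = b fails on the interleaved model, since the state (1, 0, 1) is reachable in one step from the initial state.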

In general, however, interactive verification approaches turn out to be time consuming. We therefore decided to extend AutoFocus's automatic and lightweight verification capabilities. Within the work topic "verification tools" we integrated the explicit state model checker SPIN [Hol97, Hol03] into the AutoFocus CASE tool. The work was partly done within the following master thesis:

• Markus Strohmeier. Modellbasierte Validierung verteilter Komponenten: Kopplung von AutoFocus und SPIN. Diplomarbeit, Technische Universität München, January 2005. In German

Furthermore, we integrated Stanford's LOLA system [DSS+05] for runtime verification into AutoFocus, which allows finding bugs while simulating models, even when model checking approaches fail due to too large state spaces. Additionally, Andreas Bauer examined extensions to runtime verification, especially in his thesis:

• Andreas Bauer. Model-based runtime analysis of distributed reactive systems. PhD thesis, Institut für Informatik, Technische Universität München, 2007
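How a stream-based runtime monitor of the kind described above checks a simulation run tick by tick, as an added example (this is not LOLA itself nor the project's AutoFocus integration, but a constructed simplification of the stream idea in which output streams are defined by equations over the current inputs and the previous tick's values). The request/acknowledge specification, its stream names and the sample trace are all constructed for this example.

```python
from typing import Callable, Dict, List, Tuple

Inputs = Dict[str, bool]
Values = Dict[str, int]
# An output stream equation sees the inputs of the current tick, the output values of the
# previous tick (the "[-1]" offset) and the outputs already computed for this tick.
Equation = Callable[[Inputs, Values, Values], int]


def run_monitor(trace: List[Inputs], equations: Dict[str, Equation], defaults: Values) -> List[Values]:
    """Evaluate past-time stream equations tick by tick, alongside a simulation run.
    Constructed simplification of a stream-based monitor: only the [-1] offset is supported,
    so the monitor runs online with constant memory (the previous tick's values) and never
    has to enumerate the model's state space."""
    prev = dict(defaults)          # values used for the [-1] references at tick 0
    history: List[Values] = []
    for inputs in trace:
        cur: Values = {}
        for name, eq in equations.items():   # declaration order: later streams may read earlier ones
            cur[name] = eq(inputs, prev, cur)
        history.append(cur)
        prev = cur
    return history


# Constructed specification for a request/acknowledge handshake between two components:
#   pending  := max(0, pending[-1] + req - ack)      number of requests not yet answered
#   overdue  := pending[-1] > 0 and not ack           a request was not answered by the next tick
#   spurious := ack and pending[-1] == 0 and not req  an acknowledgement without a request
HANDSHAKE_SPEC: Dict[str, Equation] = {
    "pending":  lambda i, p, c: max(0, p["pending"] + int(i["req"]) - int(i["ack"])),
    "overdue":  lambda i, p, c: int(p["pending"] > 0 and not i["ack"]),
    "spurious": lambda i, p, c: int(i["ack"] and p["pending"] == 0 and not i["req"]),
}
HANDSHAKE_DEFAULTS: Values = {"pending": 0, "overdue": 0, "spurious": 0}


def violations(trace: List[Inputs]) -> List[Tuple[int, str]]:
    """Return (tick, violated stream) pairs; an empty list means the simulated run conformed."""
    found = []
    for t, values in enumerate(run_monitor(trace, HANDSHAKE_SPEC, HANDSHAKE_DEFAULTS)):
        for name in ("overdue", "spurious"):
            if values[name]:
                found.append((t, name))
    return found


# Constructed simulation trace (one dict per tick); tick 3 leaves a request unanswered,
# tick 5 acknowledges although nothing is pending.
SAMPLE_TRACE: List[Inputs] = [
    {"req": True,  "ack": False},   # 0: request
    {"req": False, "ack": True},    # 1: answered in time
    {"req": True,  "ack": False},   # 2: request
    {"req": False, "ack": False},   # 3: still unanswered -> overdue
    {"req": False, "ack": True},    # 4: late answer
    {"req": False, "ack": True},    # 5: spurious acknowledgement
]

if __name__ == "__main__":
    print(violations(SAMPLE_TRACE))   # [(3, 'overdue'), (5, 'spurious')]
```

Because every equation only looks one tick back, the monitor's cost per simulation step is constant and independent of how many states the model has, which is what makes this kind of check usable where a model checker runs out of memory; the price is that it only judges the runs that were actually simulated.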

Abstraction techniques in the context of AutoFocus have been worked out in the following master thesis [Sas06]:

• Ernst Sassen. Abstrakte Modellinterpretation: Design und prototypische Implementierung eines Abstrakten Modell-Interpreters. Master's thesis, Fakultät für Informatik, Technische Universität München, 2006


2.3 Testing Synchronous Systems

In [PLP04] we presented a CLP (Constraint Logic Programming) based test case generator integrated into the AutoFocus CASE tool.

The CLP based test case generator was used to extract test cases from a formal communication protocol specification. These test cases were used to validate the informal parts of the protocol specification with the aim of identifying ambiguities. Furthermore, the test cases were used to carry out hardware-in-the-loop tests of automotive control units.

In [PP04] we classified and discussed different kinds of abstraction for building test models and using these models for test case generation.

The CLP based test case generator was extended with a strategy for storing sets of states to enhance the efficiency of the initial version. This technique avoids certain loops in the search algorithm and therefore prevents the test case generator from running into infinite loops.

A process for developing special test models based on the AutoFocus modeling language was established. The test models are used to automatically derive test cases by applying the AutoFocus test case generator. Different abstraction techniques are used to derive test models from existing specification models.

The results of the work are documented in the following dissertation (PhD thesis):

• Wolfgang Ludwig Johann Prenninger. Inkrementelle Entwicklung von Verhaltensmodellen zum Test von reaktiven Systemen. Dissertation, Technische Universität München, July 2005. In German

As an alternative to the test case generator developed by the AutoFocus team, the SAL test case generator [HdMR04, HMR05] has also been integrated into AutoFocus. For this, translations from AutoFocus models into SAL specifications are enriched by trap variables denoting the test goal. Furthermore, SAL test cases have to be translated back to AutoFocus' data structures.

The concept of this approach is documented in [Wis06]:

• Alexander Wisspeintner. Using the SAL automated test case generator on AutoFocus models. Technical note, Fakultät für Informatik, Technische Universität München, May 2006
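How a test case generator searches a state model with a trap predicate and a stored set of visited states, as an added example serving both the state-set storage of the CLP generator and the trap-variable approach of the SAL generator described in this section (illustrative code, not the AutoFocus, CLP or SAL tools). The card-like security state model, its commands, outputs and the faulty implementation are constructed for this example and are not the EMV CPA model mentioned in Section 2.4.

```python
from collections import deque
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed "security state model" of a card-like application (NOT the EMV CPA model from the
# page): commands are only honoured in the right mode, and three wrong verifications block the card.
MAX_TRIES = 3
COMMANDS = ("SELECT", "VERIFY_OK", "VERIFY_FAIL", "PAY", "RESET")


@dataclass(frozen=True)
class State:
    mode: str          # IDLE, SELECTED, AUTHENTICATED or BLOCKED
    tries_left: int    # remaining verification attempts


INITIAL = State("IDLE", MAX_TRIES)
Step = Callable[[State, str], Tuple[State, str]]
Trap = Callable[[State, str, str], bool]        # (next state, command, output) -> goal reached?


def step(s: State, cmd: str) -> Tuple[State, str]:
    """One synchronous step of the model: (state, input) -> (next state, output)."""
    if s.mode == "BLOCKED":
        return s, "ERR_BLOCKED"                  # blocking is permanent, even across RESET
    if cmd == "RESET":
        return State("IDLE", s.tries_left), "OK"  # the try counter survives a reset
    if cmd == "SELECT":
        return State("SELECTED", s.tries_left), "OK"
    if s.mode == "IDLE":
        return s, "ERR_NOT_SELECTED"
    if cmd == "VERIFY_OK":
        return State("AUTHENTICATED", MAX_TRIES), "OK"
    if cmd == "VERIFY_FAIL":
        left = s.tries_left - 1
        if left == 0:
            return State("BLOCKED", 0), "BLOCKED"
        return State("SELECTED", left), "ERR_PIN"
    if cmd == "PAY":
        return (s, "ACCEPTED") if s.mode == "AUTHENTICATED" else (s, "ERR_AUTH")
    return s, "ERR_UNKNOWN"


def generate_test(goal: Trap, model: Step = step, init: State = INITIAL) -> Optional[List[Tuple[str, str]]]:
    """Breadth-first search for the shortest input sequence that fires the trap predicate.
    The trap plays the role of the SAL trap variable: the path to the first transition where
    it holds is the test case (a model checker would report it as the counterexample to
    'the trap is never set'). The visited set is the stored set of states: a state that was
    already expanded cannot yield a shorter test, and without it the search would cycle
    forever through the RESET and SELECT self-loops of the model."""
    visited = {init}
    queue = deque([(init, [])])
    while queue:
        s, path = queue.popleft()
        for cmd in COMMANDS:
            t, out = model(s, cmd)
            candidate = path + [(cmd, out)]
            if goal(t, cmd, out):
                return candidate
            if t not in visited:
                visited.add(t)
                queue.append((t, candidate))
    return None                                  # goal unreachable: the search still terminates


def conforms(impl: Step, test: List[Tuple[str, str]], init: State = INITIAL) -> bool:
    """Replay the generated inputs against an implementation and compare its outputs
    with the expected ones recorded from the model."""
    s = init
    for cmd, expected in test:
        s, out = impl(s, cmd)
        if out != expected:
            return False
    return True


def faulty_step(s: State, cmd: str) -> Tuple[State, str]:
    """Constructed faulty implementation: wrong verifications are reported but never counted,
    so the card never blocks. Used only to show the generated test catching the defect."""
    if cmd == "VERIFY_FAIL" and s.mode in ("SELECTED", "AUTHENTICATED"):
        return State("SELECTED", s.tries_left), "ERR_PIN"
    return step(s, cmd)


# Test goals expressed as trap predicates.
card_blocks = lambda t, cmd, out: t.mode == "BLOCKED"
payment_accepted = lambda t, cmd, out: out == "ACCEPTED"
payment_while_blocked = lambda t, cmd, out: out == "ACCEPTED" and t.mode == "BLOCKED"

if __name__ == "__main__":
    blocking_test = generate_test(card_blocks)
    print(blocking_test)
    print("model conforms:", conforms(step, blocking_test),
          "faulty conforms:", conforms(faulty_step, blocking_test))
    print("unreachable goal:", generate_test(payment_while_blocked))
```

The third goal is a negative requirement (a payment must never be accepted once the card is blocked); the generator returning None for it is the same evidence a model checker gives when no counterexample exists, and the visited set is what lets the search finish instead of re-expanding the cyclic model indefinitely.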

The migration between existential and universal properties has been addressed using automata learning techniques. Such learning techniques allow deriving models that comprise the complete system behavior when only some of the system's behavior is given. Learning techniques for timed systems have been developed in [GJL04b, GJL04a]:

• Olga Grinchtein, Bengt Jonsson, and Martin Leucker. Learning of event-recording automata. In Proceedings of the Joint Conferences FORMATS and FTRTFT, volume 3253 of Lecture Notes in Computer Science, September 2004

• Olga Grinchtein, Bengt Jonsson, and Martin Leucker. Inference of timed transition systems. In 6th International Workshop on Verification of Infinite-State Systems, volume 138 of Electronic Notes in Theoretical Computer Science. Elsevier Science Publishers, 2004

Interestingly, conformance test suites and exemplifying system behavior for learning may coincide, as shown in [BGJ+05]:

• Therese Berg, Olga Grinchtein, Bengt Jonsson, Martin Leucker, Harald Raffelt, and Bernhard Steffen. On the correspondence between conformance testing and regular inference. In Maura Cerioli, editor, Fundamental Approaches to Software Engineering, FASE'05, volume 3442 of Lecture Notes in Computer Science, pages 175-189. Springer, 2005

2.4 Case Study

We have used a small traffic lights specification as a running example for illustrating the design of the AF-STeP and AF-SAL integrations. As real drive-by-wire applications have not been realized in practice yet, we based the evaluation of the requirements engineering process on a specification of a car control unit of DaimlerChrysler [HP02]. The specification describes a door control system realizing several comfort functions, for example central locking, electronic window lift and electronic seat adjustment.

The service-based modeling process was applied to model the electronic seat adjustment system of a car. The case study is documented in [KSTW04].

The test process described in the previous section was applied in a concrete case study. The subject of the case study was testing the network master device of a MOST (Media Oriented Systems Transport) network, a new network standard for automotive multimedia applications. The results of the case study are documented in [Pre05, Chapter 7].

We formulated a security state model of an EMV CPA Card Application [EMV05] in AutoFocus for deriving test cases showing conformance of an implementation with the standard. For this, we applied the AutoFocus-SAL test case generator.

In the Common Component Modeling Example Contest [BFH+07] we showed how to specify and develop a cash desk application, which is a typical distributed system consisting of embedded controllers (e.g. a credit card reader or the barcode scanner) as well as components for data storage (e.g. the inventory). For specification and development we used AutoFocus with its component-oriented Focus-based approach. There we applied a rigorous development process based on different levels of abstraction, which trace from requirements to implementation. These comprise the partial behavior descriptions of application services, total behavior descriptions of logical components, and the deployment of the complete system in a defined execution environment which resembles the Focus semantics. The implementation was obtained by code generation from the AutoFocus model. The results of this case study are described in:

• Manfred Broy, Jorge Fox, Florian Hölzl, Dagmar Koss, Marco Kuhrmann, Michael Meisinger, Birgit Penzenstadler, Sabine Rittmann, Bernhard Schätz, Maria Spichkova, and Doris Wild. Service-oriented modeling of CoCoME with Focus and AutoFocus. In The Common Component Modeling Example: Comparing Software Component Models, LNCS. Springer, November 2007. To appear


2.5 Project Documentation

The project documentation evolved with the project progress. In total

• 2 journal papers [SPW04, PFP04],

• 4 conference papers [PP04, GJL04b, BGJ+05, BLS06],

• 6 workshop papers [KSTW04, SFGP05a, SFGP05b, Bro04b, GJL04a, BFH+07],

• 1 technical report [Wis06],

• 4 PhD theses [Kof05, Pre05, Wiß06, Bau07],

• 4 MSc theses [Str05, Han05, Str06, Sas06], and

• 1 BSc thesis [Fab05]

have been written by our group with (partial) support by the project.

The AutoRAID tool is further described in [Tea04a, Tea04b]. SALT is also documented on SALT's homepage at salt.in.tum.de.


2.6 Cooperation with US Institutes

A side objective of the project was the establishment of cooperation with leading US institutes in the project's research areas. Within a one-month stay of the two research associates Heiko Loetzbeyer and Alexander Wisspeintner at SRI International in Menlo Park, we could initiate tighter cooperation with SRI International and Stanford University. Martin Leucker visited SRI too, as well as Stanford University (REACT Group). Furthermore, Bernhard Schätz visited the Center for Hybrid and Embedded Software Systems at the University of California, Berkeley.


SRI International:

In collaboration with the Computer Science Laboratory of SRI International we designed the AutoFocus-SAL translation and examined the use of SAL technology for test case generation. Thanks to Patrick Lincoln, John Rushby, Natarajan Shankar, Leonardo de Moura, Ashish Tiwari and Grégoire Hamon for their contribution to the translation and the many discussions we had during our visit at SRI International. While working at SRI, we experienced a strong commitment of SRI to our common goals and intend to continue our cooperation in the future.


Stanford University (REACT Group):

The design of the AutoFocus-STeP translation stems from a cooperation with Zohar Manna's REACT Group at Stanford University. Henny Sipma and Matteo Slanina made an excellent contribution to the translation of AutoFocus models and properties to STeP. Furthermore, we investigated proof tactics in STeP to verify AutoFocus models.

Moreover, we learned in detail about the REACT Group's activities in runtime verification, resulting in the tool LOLA. We found out that LOLA actually fits nicely to complement AutoFocus' heavy-weight verification techniques by so-called light-weight verification techniques. Special thanks go to Zohar Manna, Henny Sipma, and César Sánchez for their support.


Center for Hybrid and Embedded Software Systems (University of California at Berkeley):

We also visited Edward Lee and his group in Berkeley. Edward Lee's group has prime expertise in embedded software development with special emphasis on visualization and simulation of hybrid systems. Especially within a one-month stay of our team member Bernhard Schätz in Berkeley it was possible to compare the different semantics of the Ptolemy II CASE tool and the AutoFocus CASE tool. We realized a translation of AutoFocus models into Ptolemy II models. This work was partly done within the following bachelor thesis:

• Stephan Fabrizek. Evaluierung und Realisierung eines Übergangs von der AutoFocus Semantik in das Ptolemy-Framework. Bachelor thesis, Technische Universität München, 2005. In German

Moreover, Martin Leucker visited Koushik Sen at Berkeley, who also works on runtime verification topics.


Department of Computer Science, University of California, Santa Cruz:

Martin Leucker visited Luca de Alfaro, who works (among other things) on abstraction techniques in the context of formal verification.


Department of Computer Science and Engineering, University of California, San Diego:

Ingolf Krüger from the University of California, San Diego visited our group in Munich several times. We are cooperating in defining a service-based approach for software system development.


Siemens Corporate Research, Princeton:

We cooperated with Siemens Corporate Research at Princeton. Gerrit Hanselmann worked at the Princeton site on automated test case generation and test execution using the UML testing profile. He received his master's degree for this work:

• Gerrit Hanselmann. An approach for generating and executing tests based on the UML testing profile. Diplomarbeit (master thesis), Technische Universität München, 2005